
DNS was always a thorn in my side. I never liked the way it was a single point of failure and the first thing attackers looked at when analyzing traffic. Luckily with things like DoH[0], looking at DNS traffic is a lot less invasive in terms of privacy.

And even luckier, and something that serves us all, is Mozilla's attempt to bake this (DoH) in as the default in their mainline browsers. My only complaint is that they use Cloudflare as the default, and Cloudflare acts as a honeypot for Internet traffic. If they (Mozilla) could move away from Cloudflare as a partner then that would be great. (Of course this demands a new privacy-respecting provider to serve requests for the user :p)

[0] https://en.wikipedia.org/wiki/DNS_over_HTTPS
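The DoH mentioned above carries an ordinary wire-format DNS message inside HTTPS; the following is an added example (not from the commenter or any project) that builds such a query, encodes it the way RFC 8484's GET variant expects (`?dns=` base64url, no padding), and decodes it back. It is self-contained and makes no network requests; the query name is a constructed sample.

```python
"""Build and decode the wire-format DNS message that DoH (RFC 8484)
carries inside HTTPS, including the base64url form used by GET requests.
Constructed example: no resolver is contacted."""
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a recursive query for `name` (qtype 1 = A record).
    RFC 8484 suggests ID 0 so identical queries are cache-friendly."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def to_doh_get_param(msg: bytes) -> str:
    """base64url without '=' padding, as the GET `dns` parameter requires."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def from_doh_get_param(param: str) -> bytes:
    """Inverse of to_doh_get_param: restore padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def parse_question(msg: bytes) -> dict:
    """Decode the header flags and the first question section."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos] != 0:  # walk the labels until the terminating zero
        ln = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample name
    print(to_doh_get_param(q))
    print(parse_question(from_doh_get_param(to_doh_get_param(q))))
```

The same bytes are what a DoH POST sends as its `application/dns-message` body, which is why on the wire a DoH query is indistinguishable from any other HTTPS request.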



> I never liked the way it was a single point of failure

What? I don't understand what the single point is here.

The webserver you are trying to connect to has a higher failure rate than DNS.


True, however the failure rate of all of the webservers you might want to connect to is much lower than the DNS server's.

Moreover, the DNS failure might not come from the DNS server, but a misconfigured computer/router/DHCP server, etc. And it depends a lot on your DNS server itself. It is a single point (chain, if you want) of failure, and tends to fail quite often, in my experience.


That hasn't been my experience w/ DNS. If you want to pick on single points of failure, there is a whole chain of SPOFs all the way between you and the server you are connecting to. Many of them can't fail over. At least with DNS there is generally a good failover configured by default.


What about the failure rate of all the DNS servers? It's not like someone set up a Windows Server box and we all share it. Google's DNS server at 8.8.8.8 for example uses some sort of complex multihoming/multicast setup and is globally distributed. I trust DNS to work more than any other service on the internet. It's a triumph of software engineering. The Roman aqueduct of the internet.


AFAIK they use Anycast for the multihoming [0]. It follows the normal routing process, but the anycasted network is announced from multiple sites instead of just one.

AFAIK Google have ~19 data centres, and DNS / 8.8.8.8 is probably being served from all or most of them. So it is indeed very reliable.

[0] https://en.wikipedia.org/wiki/Anycast


> Moreover, the DNS failure might not come from the DNS server, but a misconfigured computer/router/DHCP server, etc. And it depends a lot on your DNS server itself. It is a single point (chain, if you want) of failure, and tends to fail quite often, in my experience.

Misconfigured networking is going to make networking fail anyway. DNS is an amazingly resilient system since it has had decades to mature.


My biggest concern is that Mozilla do not offer the option of using DoT (at least in the current stable channel). You can configure a different DoH server, but not a DoT server.



Doh is a terrible idea.


It's in the name even



